
Posts by Michael Blake

Received my highest ever bounty today of $45k.

1 year ago 10 0 4 0
Exploring the DOMPurify library: Hunting for Misconfigurations (2/2)

Exploring the DOMPurify library: Hunting for Misconfigurations mizu.re/post/explori...

1 year ago 4 1 1 0

Project successful. Found my first bug using an LLM!

1 year ago 3 0 0 0

It's a shame there are no maintained Langchain implementations for Go. Had to switch to Node because of the limitations with the current, unmaintained Go library.

1 year ago 0 0 0 0

I suppose the solution to this is error handling where you let the LLM know the file they specified wasn't found. It's just such an odd concept and feels completely different than any programming I've done in the past.

1 year ago 1 0 0 0

I don't know if success rates improve with more expensive models like o1 or o1-mini, but 4o is not consistent for me. Supplying the ability for it to fetch files works 90% of the time, but other times it'll add an extra comment after the filename, causing an error.

1 year ago 1 0 1 0

My project this week includes a Langchain project to analyze JavaScript files.

I've actually had some pretty good results so far. Having an LLM make decisions in a program's execution is really interesting and useful (when it works).

Though, I have no idea how anyone uses this in production.

1 year ago 4 0 2 2

Do you still participate in Bug Bounty?

1 year ago 0 0 0 0

Slow bug bounty year for myself. 2024 stats...

5 lows
4 mediums
9 highs
3 criticals

While my number of submissions was very low, my average bounty was around $11,200, allowing me to only submit a couple bugs a month without feeling too bad.

1 year ago 4 0 0 0

I'm kind of surprised. At this point, I can cause all `if` and `switch` branches to execute, I ignore `break`s, and ignore `return`s that don't have a value. I was expecting websites to completely break, but they're almost all completely functional.

1 year ago 0 0 0 0

Neat.

1 year ago 3 0 3 0

What are US based bug bounty hunters doing full time nowadays? Full time bug bounty? Security engineering? Research?

1 year ago 3 1 1 0

Thanks! I'm going to try this.

1 year ago 0 0 0 0

I have severely underestimated the difficulty of this.

1 year ago 1 0 1 0

State of the art XSS using the ISO-2022-JP charset

hackvertor.co.uk/hack-pad/2

1 year ago 27 3 2 0

I got this to run, but it doesn't work as well as I'd like. Decided to modify v8 myself and rebuild Chromium, which has actually been a lot of fun.

1 year ago 2 0 1 0
USENIX Security '24 - FV8: A Forced Execution JavaScript Engine for Detecting Evasive Techniques (YouTube video by USENIX)

Beyond that research paper (whose code, unfortunately, is not open source), I found this recent talk: www.youtube.com/watch?v=kQOM...

That has an open source solution (I have yet to test): github.com/wspr-ncsu/FV8

1 year ago 1 0 1 0

It actually seems like something like this has been implemented before for malware analysis: chungkim.io/doc/www17-jf...

1 year ago 1 0 1 0

For additional context, I'd like code like so...

if (false) alert('x');

to execute the `alert` despite the false condition.

1 year ago 1 0 1 0
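The forced-execution rules described in the two posts above (every `if` branch runs, `break` is ignored, a `return` without a value is ignored, so `if (false) alert('x')` still calls `alert`) as an added, self-contained example, not code from the author's V8 build. It uses Python's standard-library `ast` module as a stand-in for a JavaScript AST rewriter, because Python ships a parser and the transformation is identical in shape; `switch`/`match` is not covered, and `alert` is an assumed stand-in that records calls.

```python
import ast

class ForcedExecution(ast.NodeTransformer):
    """Rewrite a module so every branch runs (forced execution).
    Rules mirrored from the posts: both arms of an if execute,
    breaks are dropped, and returns carrying no value are dropped."""

    def visit_If(self, node):
        self.generic_visit(node)  # rewrite nested ifs / elifs first
        # Keep evaluating the test once (its side effects survive),
        # then run the then-branch and the else-branch back to back.
        return [ast.Expr(node.test)] + node.body + node.orelse

    def visit_Break(self, node):
        return ast.Pass()  # ignore break: the loop body keeps running

    def visit_Return(self, node):
        if node.value is None:
            return ast.Pass()  # bare return: fall through, do not exit
        return node  # a return with a value is left untouched

def force_execute(source):
    """Transform SOURCE and execute it; return the list of alert() arguments
    in the order they were called (alert is an assumed stand-in)."""
    tree = ForcedExecution().visit(ast.parse(source))
    ast.fix_missing_locations(tree)  # new Expr/Pass nodes need positions
    calls = []
    env = {"alert": calls.append}
    exec(compile(tree, "<forced>", "exec"), env)
    return calls

# Constructed sample in the spirit of the posts' `if (false) alert('x')`.
SAMPLE = """
def check(flag):
    if flag:
        alert('then')
    else:
        alert('else')
    return
    alert('after-return')

for i in range(3):
    if i == 1:
        break
    alert('loop')

check(False)
"""

if __name__ == "__main__":
    print(force_execute("if False: alert('x')"))  # ['x']
    print(force_execute(SAMPLE))
```

Under normal semantics the sample would produce only `['loop', 'else']`; the forced run also reaches the `then` branch, the code after the bare `return`, and every loop iteration.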

Unless there's some magic functionality that allows this in extensions that I'm unaware of, the only other thing I can think of is modifying an existing browser's functionality, which I'd really like to avoid.

1 year ago 1 0 1 0

I want a way to change code execution flow of javascript within the browser. I'd love to be able to do this through an extension, but there seem to be too many limitations (i.e. no ability to monitor / modify conditional statements at runtime).

I'd like to avoid a simple match replace. Any ideas?

1 year ago 3 1 3 0

Thanks!

1 year ago 1 0 0 0
The configuration options in "Settings > Tools > Proxy Default Proxy history message display". We can act separately on Websocket messages, HTTP requests and HTTP responses.

We can now configure what version of messages should be displayed in Proxy History 🥳

1 year ago 18 1 1 0

I bought a year of Burp Suite Pro for almost 1 BTC.

1 year ago 0 0 0 0

If some of their users become upset, meh, who cares. If some of their large b2b customers become upset, that's a much bigger issue.

1 year ago 1 1 0 0

Starting to think of bug severity in terms of "how might this affect shareholder price". At the end of the day, that's all that the companies who determine your bounty amount care about. Your data is already public from other breaches, but those breaches may not be associated with that company (yet).

1 year ago 1 1 2 1

👋

1 year ago 2 0 0 0

I've been seen.

1 year ago 1 0 1 0

Post a pic YOU took (no description) to bring some zen to the timeline

1 year ago 2 0 0 0